ALT-PU-2025-9797-4

BDU:2023-06559

HIGH7.5

Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-10-11Modified: 2026-04-22

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2023-44487

BDU:2024-02604

HIGH7.5

Уязвимость сервера приложений Apache Tomcat, связанная с неполной очисткой временных или вспомогательных ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-04-04Modified: 2025-08-22

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2024-23672

BDU:2024-11286

CRITICAL9.8

Уязвимость сервлета DefaultServlet сервера приложений Apache Tomcat, позволяющая нарушителю выполнить произвольный код

Published: 2024-12-18Modified: 2025-08-22

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2024-50379

CVE-2023-44487

HIGH7.5

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Published: 2023-10-10Modified: 2025-11-07

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2024-23672

MEDIUM6.3

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Published: 2024-03-13Modified: 2025-08-07

CVSS 3.xMEDIUM 6.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

CVE-2024-50379

CRITICAL9.8

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

Published: 2024-12-17Modified: 2025-11-03

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-5j33-cvvr-w245

HIGH7.2

Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

Published: 2024-12-17Modified: 2025-11-04

CVSS 3.xHIGH 7.2

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0HIGH 7.2

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References

GHSA-m425-mq94-257g

HIGH7.5

gRPC-Go HTTP/2 Rapid Reset vulnerability

Published: 2023-10-26Modified: 2024-07-19

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

GHSA-qppj-fm5r-hxr3

MEDIUM6.9

HTTP/2 Stream Cancellation Attack

Published: 2023-10-11Modified: 2025-10-22

CVSS 3.x

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A

References

GHSA-v682-8vv8-vpwr

MEDIUM6.3

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat

Published: 2024-03-13Modified: 2025-08-08

CVSS 3.xMEDIUM 6.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

GHSA-xpw8-rcwv-8f8p

HIGH7.5

io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack

Published: 2023-10-11Modified: 2023-11-07

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Package update tomcat in branch c9f2

Closed issues (11)

Уязвимость сервера приложений Apache Tomcat, связанная с неполной очисткой временных или вспомогательных ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость сервлета DefaultServlet сервера приложений Apache Tomcat, позволяющая нарушителю выполнить произвольный код

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

gRPC-Go HTTP/2 Rapid Reset vulnerability

HTTP/2 Stream Cancellation Attack

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat

io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack